6. TYPES OF TICKETS
• Forwardable/forwarded
A forwardable ticket can be sent from one host to another host, obviating the need for a client to reauthenticate
itself. For example, if the user david obtains a forwardable ticket while on user jennifer's machine, he can log in to
his own machine without having to get a new ticket (and thus authenticate himself again).
• Initial
An initial ticket is a ticket that is issued directly, not based on a ticket-granting ticket. Some services, such as
applications that change passwords, can require tickets to be marked initial in order to assure themselves that the
client can demonstrate a knowledge of its secret key. An initial ticket indicates that the client has recently
authenticated itself, instead of relying on a ticket-granting ticket, which might have been around for a long time.
• Invalid
An invalid ticket is a postdated ticket that has not yet become usable. An invalid ticket will be rejected by an
application server until it becomes validated. To be validated, a ticket must be presented to the KDC by the client
in a ticket-granting service request, with the VALIDATE flag set, after its start time has passed.
6 http://www.stallies.net
7. TYPES OF TICKETS (CONTINUED)
• Postdatable/postdated
A postdated ticket is a ticket that does not become valid until some specified time after its creation. Such a ticket
is useful, for example, for batch jobs that are intended to be run late at night, because the ticket, if stolen, cannot
be used until the batch job is to be run. When a postdated ticket is issued, it is issued as invalid and remains that
way until its start time has passed, and the client requests validation by the KDC. A postdated ticket is normally
valid until the expiration time of the ticket-granting ticket. However, if the ticket is marked renewable, its lifetime is
normally set to be equal to the duration of the full life of the ticket-granting ticket.
• Proxiable/proxy
At times, it is necessary for a principal to allow a service to perform an operation on its behalf. The principal name
of the proxy must be specified when the ticket is created. A proxiable ticket is similar to a forwardable ticket,
except that it is valid only for a single service, whereas a forwardable ticket grants the service the complete use
of the client's identity. A forwardable ticket can therefore be thought of as a sort of super-proxy.
• Renewable
Because it is a security risk to have tickets with very long lives, tickets can be designated as renewable. A
renewable ticket has two expiration times: the time at which the current instance of the ticket expires, and the
maximum lifetime for any ticket, which is one week. If a client wants to continue to use a ticket, the client renews it
before the first expiration occurs.
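The ticket types above are carried as bits in the ticket's flags field. The following added example (not part of the original slides) decodes those bits using the RFC 4120 TicketFlags numbering and applies the acceptance rules described here: invalid tickets are rejected, a password-change style service can require an initial ticket, and renewal must happen before the current expiry. The `Ticket` class, the function names and the sample values are assumptions made for illustration, and clock skew is ignored.

```python
from dataclasses import dataclass

# Bit numbers of the flags this section describes, per RFC 4120 TicketFlags.
# Bit 0 is the most significant bit of the 32-bit field.
FLAG_BITS = {"forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
             "may-postdate": 5, "postdated": 6, "invalid": 7,
             "renewable": 8, "initial": 9}

def decode_flags(value):
    """Return the set of flag names present in a 32-bit TicketFlags value."""
    return {n for n, bit in FLAG_BITS.items() if value & (1 << (31 - bit))}

@dataclass
class Ticket:
    """Hypothetical, simplified view of a decrypted ticket (times in seconds)."""
    flags: int
    starttime: int
    endtime: int         # expiry of the current instance
    renew_till: int = 0  # absolute limit, meaningful only if renewable

def server_accepts(ticket, now, require_initial=False):
    """Application-server side check; returns (accepted, reason)."""
    flags = decode_flags(ticket.flags)
    if "invalid" in flags:
        return False, "invalid: not yet validated by the KDC"
    if now < ticket.starttime:
        return False, "start time not reached"
    if now >= ticket.endtime:
        return False, "expired"
    if require_initial and "initial" not in flags:
        return False, "initial ticket required"
    return True, "ok"

def can_renew(ticket, now):
    """Renewal must happen before the current instance expires."""
    return ("renewable" in decode_flags(ticket.flags)
            and now < ticket.endtime and now < ticket.renew_till)

if __name__ == "__main__":
    # Constructed sample values, not captured from a real KDC.
    tgt = Ticket(0x40E10000, starttime=0, endtime=36000, renew_till=604800)
    batch = Ticket(0x03000000, starttime=7200, endtime=36000)
    print(sorted(decode_flags(tgt.flags)))
    print(server_accepts(batch, now=8000))
    print(can_renew(tgt, now=35000), can_renew(tgt, now=36001))
```

The postdated sample is rejected even after its start time because the invalid flag is still set, which is the state a stolen batch-job ticket stays in until the KDC validates it.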